This is your phone on mining software. Any questions?


A newly discovered piece of Android malware carries out a litany of malicious activities, including showing an almost unending series of ads, participating in distributed denial-of-service attacks, sending text messages to any number, and silently subscribing to paid services. Its biggest offense: a surreptitious cryptocurrency miner that's so aggressive it can physically damage an infected phone.

Trojan.AndroidOS.Loapi is hidden inside apps distributed through third-party markets, browser ads, and SMS-based spam. Researchers from antivirus provider Kaspersky Lab have dubbed it a "jack of all trades" to emphasize the breadth of nefarious things it can do. Most notably, Loapi apps contain a module that mines Monero, a newer type of digital currency that's less resource intensive than Bitcoin and most other cryptocurrencies. The module allows the malware creators to generate new coins by leeching the electricity and hardware of infected phone owners.

But the lower demands of Monero mining by no means stop Loapi from straining infected phones. Kaspersky Lab researchers tested Loapi in a lab setting. After two days, the mining caused the battery in the phone to bulge so badly it deformed the cover. The researchers provided the pictures above as evidence.

Loapi is a nuisance in other ways that go beyond covert coin mining. It sends an unending barrage of prompts for users to assign it administrator permissions. Once granted permission, Loapi makes it hard for victims to install security apps that can help disinfect the phone. It can subscribe a phone to costly premium services and even covertly send codes in SMS messages to confirm the request. It allows attackers to use infected phones as foot soldiers in DDoS attacks. And it displays a constant stream of ads. There are no indications Loapi apps have ever been available through Google Play.

"We've never seen such a 'jack of all trades' before," Kaspersky Lab researchers wrote. Later in the post, they added: "The only thing missing is user espionage, but the modular architecture of this Trojan means it's possible to add this sort of functionality at any time."

Promoted Comments

Shouldn't this be something that the phone actively prevents? I mean let's pretend that cryptocurrencies don't exist. This exploit has still shown one could create malware that destroys phone hardware. Even if you get a point where a phone can't mine coins this could still make for some brutal ransomware. Instead of just deleting your files if you don't pay the ransom it will physically destroy your $500+ smartphone.

I wonder why the phone didn't throttle or detect excessive temperature and shutdown.

It does make one wonder why this is permitted by the malware author. If the goal is to surreptitiously mine crypto currency, which is a dick move but at least understandable, designing the malware to also throw unlimited ads at a user is begging them to fix the device. It’s just bad design.

I mean even if the authors are making money off the ads, again, the volume of ads here is practically begging the users to do something about it.

Shouldn't this be something that the phone actively prevents? I mean let's pretend that cryptocurrencies don't exist. This exploit has still shown one could create malware that destroys phone hardware. Even if you get a point where a phone can't mine coins this could still use it to make for some brutal ransomware. Instead of just deleting your files if you don't pay the ransom it will physically destroy your $500+ smartphone (and delete your files).

I wonder why the phone didn't throttle or detect excessive temperature and shutdown.

Most notably, Loapi apps contain a module that mines Monero, a newer type of digital currency that's less resource intensive than Bitcoin and most other cryptocurrencies.

Not quite, I don't think.

I believe Monero mining is designed specifically to use MORE memory than other cryptocurrencies, to make it less amenable to mining via GPU or ASIC. That's why it's relatively easier to mine Monero with regular CPUs. So if anything, it's more resource intensive. Depending on what you mean by resource.

Shouldn't this be something that the phone should prevent? I mean let's pretend that cryptocurrencies don't exist. This exploit has still shown one could create malware that destroys phone hardware.

I wonder why the phone didn't throttle or detect excessive temperature and shutdown.

The part of the Android ecosystem that does that is the Play Store; it's supposed to detect and not allow apps that do things like this. And it looks like it's working. You can't monitor everything all the time without massive processing requirements, which are impractical....

If your device overheats under load, that is a hardware problem, not a software issue.

This is likely to affect any well optimized program, not just malware.

Current phones are all designed to throttle under sustained load, they can't run at full speed for sustained periods of time. However, it is possible to override with software. It's likely that's what this is doing.

Shouldn't this be something that the phone actively prevents? I mean let's pretend that cryptocurrencies don't exist. This exploit has still shown one could create malware that destroys phone hardware. Even if you get a point where a phone can't mine coins this could still make for some brutal ransomware. Instead of just deleting your files if you don't pay the ransom it will physically destroy your $500+ smartphone.

I wonder why the phone didn't throttle or detect excessive temperature and shutdown.

It does make one wonder why this is permitted by the malware author. If the goal is to surreptitiously mine crypto currency, which is a dick move but at least understandable, designing the malware to also throw unlimited ads at a user is begging them to fix the device. It’s just bad design.

I mean even if the authors are making money off the ads, again, the volume of ads here is practically begging the users to do something about it.

I'm not exactly sure why the battery bulged - isn't that the case if the phone was overcharged? I've got a POS Nexus 9 that probably would overheat if this came on to it for sure, but I doubt the battery would bulge.

The phone in the picture looks to be a Nexus 5. Which, the cover easily comes off and that's a $20 fix. Other phones OTOH...

Shouldn't this be something that the phone actively prevents? I mean let's pretend that cryptocurrencies don't exist. This exploit has still shown one could create malware that destroys phone hardware. Even if you get a point where a phone can't mine coins this could still make for some brutal ransomware. Instead of just deleting your files if you don't pay the ransom it will physically destroy your $500+ smartphone.

I wonder why the phone didn't throttle or detect excessive temperature and shutdown.

It does make one wonder why this is permitted by the malware author. If the goal is to surreptitiously mine crypto currency, which is a dick move but at least understandable, designing the malware to also throw unlimited ads at a user is begging them to fix the device. It’s just bad design.

I mean even if the authors are making money off the ads, again, the volume of ads here is practically begging the users to do something about it.

Lots of malware builders are just idiots. Once you have modular extensible malware development tools you will have someone clicking every checkbox and try it just to see what happens.

Sometimes I wonder if the Facebook app is mining bitcoins. Get double the battery life once uninstalled, don't even need to be signed into Facebook without the battery drain.

I tried the Facebook app for less than a month, about 3 or 4 years ago, uninstalled it, and have used the web browser to access fb ever since. It totally killed my battery. I considered it malware. Apparently, Facebook never fixed that.

If your device overheats under load, that is a hardware problem, not a software issue.

This is likely to affect any well optimized program, not just malware.

Current phones are all designed to throttle under sustained load, they can't run at full speed for sustained periods of time. However, it is possible to override with software. It's likely that's what this is doing.

They let you override thermal throttling from an app?

That is a serious design issue if true, but I am not going to believe it without a reference.

They might let you make a suggestion as to the CPU profile, but that is not the same thing as letting it override the safety mechanism which prevents it from overheating and possibly causing damage (that will be hardware, firmware, or a privileged and probably signed driver).

My guess is the hardware vendor did not stress test it to that degree, their battery manufacturing was not quite up to the samples they did their testing on, or it is not a new phone and the battery is degrading.

Sometimes I wonder if the Facebook app is mining bitcoins. Get double the battery life once uninstalled, don't even need to be signed into Facebook without the battery drain.

So true. For years now this has been my go-to solution for friends/family who complain about their battery life. Uninstall FB, put a browser shortcut to the site on their home screen. It's amazing; everyone I've done it for says it at least doubles their battery life. Like, they go from having to charge in the afternoon to going to bed with 30% remaining.

Of course, now they're forcing mobile users to use Messenger, so this trick probably won't continue to work for most people unless Messenger is significantly better behaved than the main app. There's a workaround to trick FB into presenting the desktop version on a mobile device---so you actually don't need Messenger on your phone to use chat---but it's too clumsy for most users. The actual solution is just to delete all of it and check it once a week for ten minutes on your PC, but that's not actually helpful advice for most people.

If your device overheats under load, that is a hardware problem, not a software issue.

This is likely to affect any well optimized program, not just malware.

Current phones are all designed to throttle under sustained load, they can't run at full speed for sustained periods of time. However, it is possible to override with software. It's likely that's what this is doing.

They let you override thermal throttling from an app?

That is a serious design issue if true, but I am not going to believe it without a reference.

They might let you make a suggestion as to the CPU profile, but that is not the same thing as letting it override the safety mechanism which prevents it from overheating and possibly causing damage (that will be hardware, firmware, or a privileged and probably signed driver).

My guess is the hardware vendor did not stress test it to that degree, their battery manufacturing was not quite up to the samples they did their testing on, or it is not a new phone and the battery is degrading.

Changing anything CPU governor related requires root access. It's all kernel controlled. If this is a Nexus 5 then the battery is likely 3-4 years old.

Sometimes I wonder if the Facebook app is mining bitcoins. Get double the battery life once uninstalled, don't even need to be signed into Facebook without the battery drain.

Same could be said of a lot of social media apps. If you HAVE to have social media on your phone I'd suggest Metal. It uses the mobile web version of Facebook and Twitter, disabling a lot of the intrusiveness of said apps. It also closes itself once the app shuts off so it does not run in the background. Though it does take longer to resume after you "tab out".

If your device overheats under load, that is a hardware problem, not a software issue.

This is likely to affect any well optimized program, not just malware.

Current phones are all designed to throttle under sustained load, they can't run at full speed for sustained periods of time. However, it is possible to override with software. It's likely that's what this is doing.

They let you override thermal throttling from an app?

That is a serious design issue if true, but I am not going to believe it without a reference.

They might let you make a suggestion as to the CPU profile, but that is not the same thing as letting it override the safety mechanism which prevents it from overheating and possibly causing damage (that will be hardware, firmware, or a privileged and probably signed driver).

My guess is the hardware vendor did not stress test it to that degree, their battery manufacturing was not quite up to the samples they did their testing on, or it is not a new phone and the battery is degrading.

Changing anything CPU governor related requires root access. It's all kernel controlled. If this is a Nexus 5 then the battery is likely 3-4 years old.

So unless it roots the phone or has a way around that, it was running within rated spec.

While the malware is certainly bad, I am not sure we can call that the cause of physical harm here. That could as easily have been a game, the desire to know pi to as many digits as possible, a monster porn session, or any other long running CPU intensive process.

Also, a more efficient algorithm does not necessarily mean it will heat the CPU less. That has a lot more to do with how good your implementation is at avoiding waits. Usually the way you get a program to run hot is to arrange for it not to be waiting on main memory much, and to keep as many execution units as possible fed (which has a large amount of overlap with running quickly).

All it really means is they optimized their malware for speed, and likely did a pretty good job of it.

If your device overheats under load, that is a hardware problem, not a software issue.

This is likely to affect any well optimized program, not just malware.

Current phones are all designed to throttle under sustained load, they can't run at full speed for sustained periods of time. However, it is possible to override with software. It's likely that's what this is doing.

Since you brought it up, Apple also throttles based on the status of your battery masking a degraded battery that it may have to replace. By ricochet it also induces the notion to the consumer that the iPhone has become slow and must be replaced. This behavior is HIDDEN to the user.

Sometimes I wonder if the Facebook app is mining bitcoins. Get double the battery life once uninstalled, don't even need to be signed into Facebook without the battery drain.

Since it's so network-intensive, it's probably activating every device in a smartphone (GPS, compass, Bluetooth, Wifi, Data, you name it) to monitor what you're doing and check your feed every few seconds in case a notification comes in (or to keep open a chat client, or something). Not having it on my phone, I don't know what permissions are mandatory (that you can't turn off) or what it actually does when used normally.

I do know that if I leave my devices on in my phone like that, my phone drains in under two days without any use. It lasts more than twice as long with them all turned off.

Granted, smartphones aren't created equally, but just eliminating something that constantly uses devices means that those devices aren't going to be as active, therefore will use less power, therefore the battery will last longer.

While I wouldn't put it past Facebook to do that (Honestly, I think they're evil fucks who need to have the whole thing crash and burn), I figure with all the experts out there looking at this stuff, someone would have found out about it or blown the whistle by now. In this YouTube age where people will cement their heads into a microwave oven, anything that gets as much attention as that would garner would be a huge incentive for some nameless geek to bring the practice to light.

So unless it roots the phone or has a way around that, it was running within rated spec.

While the malware is certainly bad, I am not sure we can call that the cause of physical harm here. That could as easily have been a game, the desire to know pi to as many digits as possible, a monster porn session, or any other long running CPU intensive process.

Also, a more efficient algorithm does not necessarily mean it will heat the CPU less. That has a lot more to do with how good your implementation is at avoiding waits. Usually the way you get a program to run hot is to arrange for it not to be waiting on main memory much, and to keep as many execution units as possible fed (which has a large amount of overlap with running quickly).

All it really means is they optimized their malware for speed, and likely did a pretty good job of it.

One anecdote of evidence is the OnePlus One - that phone got hot. Do any tasks along with charging and it will get really hot.

I'm willing to bet the combination of both did the phone battery in. Otherwise a N5 isn't going to last over a day doing stuff like that without USB plugged in. Willing to bet most phones wouldn't last longer either.

Bad hardware design meets bad security. A lot of Android phones should get the more dubious title of IoT, given their casual approach to patching and updates.

What does patching or updates have anything to do with this app, seeing how the user has to grant every permission for it to run, including installing it?

It is up to the operating system to monitor the thermal sensors and direct the clocks to slow down to protect the system. I had thought this was a part of the Kernel Thermal Management system in Android and not subject to user-space fiddling. I had thought that certain OEM vendors had tinkered with KTM to get their phones to spec better.

..but now that I think about it, this has likely been done wrong in even the latest and greatest Android releases.

Or the phone is shipped without a correctly wired battery thermal sensor.

It is up to the operating system to monitor the thermal sensors and direct the clocks to slow down to protect the system. I had thought this was a part of the Kernel Thermal Management system in Android and not subject to user-space fiddling. I had thought that certain OEM vendors had tinkered with KTM to get their phones to spec better.

..but now that I think about it, this has likely been done wrong in even the latest and greatest Android releases.

Or the phone is shipped without a correctly wired battery thermal sensor.

Typically there are no user space controls for this, although 3rd party ROMs might allow changing the governor.

Stock wise, nothing is inherent to Android with how an OEM decides what clock speeds or what limits to impose - that's all kernel level, not Android level. Android 5, 6, 7 or whatever else has no bearing on this. Android can be totally oblivious to what's going on as it wouldn't want a user to be able to override this ever.

As another example, using a car dash cam app on a cheap ZTE phone would cause it to stop charging due to excessive heat. But that's not an Android setting - that's ZTE who did that.

Also, look at my above post - without it being plugged in I doubt this app could run for more than a few hours straight crypto mining.

I'm not exactly sure why the battery bulged - isn't that the case if the phone was overcharged? I've got a POS Nexus 9 that probably would overheat if this came on to it for sure, but I doubt the battery would bulge.

The phone in the picture looks to be a Nexus 5. Which, the cover easily comes off and that's a $20 fix. Other phones OTOH...

This looks like a battery bulge problem. If this is a Nexus 5, as you (and I) suspect, then the heat from running the miner could have caused the battery to swell. I've had an old Nexus 4 do this because I was running Alfred on it 24/7.

Why don't we reverse engineer the malware and use the millions of devices to shut down servers, mainframes of the assholes who let this happen. You can brute force almost anything with that much bandwidth and processing power. By the way you can engineer software to override any hardware. I once had a virus that could overheat computers and crack the chipsets. No amount of hardware can prevent that. I'm just saying since they want to use our own devices against us without permission what's the harm in using it against them? What are they going to do sue us LMFAO!!! 😱

If your device overheats under load, that is a hardware problem, not a software issue.

This is likely to affect any well optimized program, not just malware.

Current phones are all designed to throttle under sustained load, they can't run at full speed for sustained periods of time. However, it is possible to override with software. It's likely that's what this is doing.

They let you override thermal throttling from an app?

That is a serious design issue if true, but I am not going to believe it without a reference.

They might let you make a suggestion as to the CPU profile, but that is not the same thing as letting it override the safety mechanism which prevents it from overheating and possibly causing damage (that will be hardware, firmware, or a privileged and probably signed driver).

My guess is the hardware vendor did not stress test it to that degree, their battery manufacturing was not quite up to the samples they did their testing on, or it is not a new phone and the battery is degrading.

Changing anything CPU governor related requires root access. It's all kernel controlled. If this is a Nexus 5 then the battery is likely 3-4 years old.

It's interesting to consider this in light of today's supposed scandal of the century, namely the claim that Apple throttles back the performance on iPhones with batteries that are going bad.

Without commenting on this particular claim (the evidence so far released for it strikes me as amenable to multiple interpretations), let's assume it's a general fact of chemistry in the world of actually existing batteries (as opposed to magical batteries made of unobtainium) that they decay in such a way that the maximum current they can sustain initially drops by, I don't know, let's say 50% after two or three years of use. Given this fact, what is a manufacturer to do? The options appear to be

- spec all hardware to the worst possible situation the battery could ever be in. (Meaning what, the battery state after ten years, at 10% of initial power provision)? That means REALLY slow phones.

- do nothing and hope it's not a problem. This would APPEAR to be what's happening here (though of course we'd need more data to confirm). The OS and/or firmware may spec the maximum current draw to be something that was appropriate when the phone was sold, but is now higher than the battery can support.

- track battery capability over time and proactively dial down how fast the phone runs. This would appear to be what Apple is doing, and I'm not sure why it's considered such a scandal. To ME it seems like the best of the three choices on offer, and if you have a better choice available, speak up.

I don't know what the industry as a whole could do better. I'm sure the usual SJWs, eager to find a new pointless cause to assault, will insist on "disclosure". OK, so then what, we get the laws passed, or public pressure, gets Apple (and the premier Android companies) to now include a disclaimer that "phone performance will decay over the lifetime of the phone, and is normally about 75% of initial performance after three years". At which point absolutely nothing changes because, WTF are you going to do with that information? Not buy a phone? Buy the shady no-name brand phone that claims to have a magic battery that doesn't decay? (Yeah yeah, usual crowd will make their pitch for replaceable battery. Guys, the whole world has spoken and the mass market is not interested. Hearing that the phone they intend to replace in two years will be slightly slower after three years won't change that...)

Sometimes the laws of nature suck, and I suspect this is one of these times.

If your device overheats under load, that is a hardware problem, not a software issue.

This is likely to affect any well optimized program, not just malware.

Current phones are all designed to throttle under sustained load, they can't run at full speed for sustained periods of time. However, it is possible to override with software. It's likely that's what this is doing.

Since you brought it up, Apple also throttles based on the status of your battery masking a degraded battery that it may have to replace. By ricochet it also induces the notion to the consumer that the iPhone has become slow and must be replaced. This behavior is HIDDEN to the user.

Shouldn't this be something that the phone should prevent? I mean let's pretend that cryptocurrencies don't exist. This exploit has still shown one could create malware that destroys phone hardware.

I wonder why the phone didn't throttle or detect excessive temperature and shutdown.

The part of the Android ecosystem that does that is the Play Store; it's supposed to detect and not allow apps that do things like this. And it looks like it's working. You can't monitor everything all the time without massive processing requirements, which are impractical....

The question is, why isn't battery temperature being monitored by the firmware in a similar way?

The battery is required, by law, to monitor its own temperature. Anything over 60C/140F is considered dangerous and will cause swelling.

If it gets really hot (still within ranges a fanless CPU can reach) the battery will begin a thermal runaway and catch fire, with no way to stop it burning except wait for it to run out of fuel. This is why batteries aren't allowed in the cargo of a passenger airplane and it's illegal to make a laptop with more than 100Wh. At least if a small battery burns in the cabin, the captain can find a safe place for an emergency landing before the fire gets too bad.

The battery should have detected this malware and cut power to the phone.

But on a cheap phone these things aren't always calibrated properly... and the calibration is complicated, it needs to be tuned to match the condition of the battery as it changes over the life of a phone.

Even the best phone manufacturers get it wrong sometimes, the iPhone 6 model was prone to occasional shutdowns that ended up being older batteries cutting power under normal loads - recently fixed by updating the firmware to reduce CPU clock speeds as the battery cycle count increases.

If your device overheats under load, that is a hardware problem, not a software issue.

This is likely to affect any well optimized program, not just malware.

Current phones are all designed to throttle under sustained load, they can't run at full speed for sustained periods of time. However, it is possible to override with software. It's likely that's what this is doing.

Since you brought it up, Apple also throttles based on the status of your battery masking a degraded battery that it may have to replace. By ricochet it also induces the notion to the consumer that the iPhone has become slow and must be replaced. This behavior is HIDDEN to the user.

Edit: It would be nice if Ars ran an investigation. This looks like class action material.

This seems more like prudent engineering than class action material.

If the battery is going to degrade regardless (which it will), doing the best it can with what it has seems like the best option.

The point being made in the article is, users should be informed if the issue is CPU related, software related, or battery related. They make the case/point that some users may buy a new phone because performance is reduced, when the solution is simply a new battery, not because iOS updates made you slower (well they did but not because of code bloat but to keep 6s users from having shutdowns due to high CPU energy draw).

Shouldn't this be something that the phone should prevent? I mean let's pretend that cryptocurrencies don't exist. This exploit has still shown one could create malware that destroys phone hardware.

I wonder why the phone didn't throttle or detect excessive temperature and shutdown.

The part of the Android ecosystem that does that is the Play Store; it's supposed to detect and not allow apps that do things like this. And it looks like it's working. You can't monitor everything all the time without massive processing requirements, which are impractical....

The question is, why isn't battery temperature being monitored by the firmware in a similar way?

The battery is required, by law, to monitor its own temperature. Anything over 60C/140F is considered dangerous and will cause swelling.

If it gets really hot (still within ranges a fanless CPU can reach) the battery will begin a thermal runaway and catch fire, with no way to stop it burning except wait for it to run out of fuel. This is why batteries aren't allowed in the cargo of a passenger airplane and it's illegal to make a laptop with more than 100Wh. At least if a small battery burns in the cabin, the captain can find a safe place for an emergency landing before the fire gets too bad.

The battery should have detected this malware and cut power to the phone.

But on a cheap phone these things aren't always calibrated properly... and the calibration is complicated, it needs to be tuned to match the condition of the battery as it changes over the life of a phone.

Even the best phone manufacturers get it wrong sometimes, the iPhone 6 model was prone to occasional shutdowns that ended up being older batteries cutting power under normal loads - recently fixed by updating the firmware to reduce CPU clock speeds as the battery cycle count increases.

I don't think overheating is the ONLY issue that causes swollen batteries. I had an iPhone5 that recently swelled its battery, and that never overheated, not when I was using it full time, not when it retired to minor service as my traveling phone.

Monitoring temperature is easy enough that I just don't see it as a big problem, at least in the name brand phones; which is why my analysis above operated on the hypothesis that it's something more difficult to monitor (like maximum safe current draw) that is deteriorating over time.

Shouldn't this be something that the phone actively prevents? I mean let's pretend that cryptocurrencies don't exist. This exploit has still shown one could create malware that destroys phone hardware. Even if you get a point where a phone can't mine coins this could still make for some brutal ransomware. Instead of just deleting your files if you don't pay the ransom it will physically destroy your $500+ smartphone.

I wonder why the phone didn't throttle or detect excessive temperature and shutdown.

It does make one wonder why this is permitted by the malware author. If the goal is to surreptitiously mine crypto currency, which is a dick move but at least understandable, designing the malware to also throw unlimited ads at a user is begging them to fix the device. It’s just bad design.

I mean even if the authors are making money off the ads, again, the volume of ads here is practically begging the users to do something about it.

The FCC stepped in and regulated broadcast television ads basically in the single digit years of terrestrial broadcast and consumer TV sets coming into existence, and long before they were ubiquitous. In the classic "Over-the-Internet" framework which we still try ignorantly to pretend is the Wild Wild West, we're a couple decades into Internet / PC / smartphone ubiquity and still no advertising regulation, though ads certainly violate federal statutes in the form of CFAA.

I don't recall a time in which ads were able to blow up television sets or markedly change their energy consumption, though I have no doubt that the volume wars of the 90's probably blew out some speakers (notably the same time advertisers learned the government had no hands on the wheel with the Internet or really any content producers).

I guess I am just trying to point out that these things would never have gotten out of hand if advertising had been properly shackled in the 90's. The number of malicious coders thinking any Internet connected device's spare CPU cycles belonged to them would be massively reduced as a matter of community attitudes if not for the massive employment of ethically grey / immoral / illegal programming for ad networks. Nobody is afraid to be an outlaw over the Internet because the sheriffs have yet to show up, much less have a mandate to stop bad guys.

Shouldn't this be something that the phone should prevent? I mean let's pretend that cryptocurrencies don't exist. This exploit has still shown one could create malware that destroys phone hardware.

I wonder why the phone didn't throttle or detect excessive temperature and shutdown.

The part of the Android ecosystem that does that is the Play Store; it's supposed to detect and not allow apps that do things like this. And it looks like it's working. You can't monitor everything all the time without massive processing requirements, which are impractical....

The question is, why isn't battery temperature being monitored by the firmware in a similar way?

The battery is required, by law, to monitor its own temperature. Anything over 60C/140F is considered dangerous and will cause swelling.

If it gets really hot (still within ranges a fanless CPU can reach) the battery will begin a thermal runaway and catch fire, with no way to stop it burning except wait for it to run out of fuel. This is why batteries aren't allowed in the cargo of a passenger airplane and it's illegal to make a laptop with more than 100Wh. At least if a small battery burns in the cabin, the captain can find a safe place for an emergency landing before the fire gets too bad.

The battery should have detected this malware and cut power to the phone.

But on a cheap phone these things aren't always calibrated properly... and the calibration is complicated, it needs to be tuned to match the condition of the battery as it changes over the life of a phone.

Even the best phone manufacturers get it wrong sometimes, the iPhone 6 model was prone to occasional shutdowns that ended up being older batteries cutting power under normal loads - recently fixed by updating the firmware to reduce CPU clock speeds as the battery cycle count increases.

I don't think overheating is the ONLY issue that causes swollen batteries. I had an iPhone5 that recently swelled its battery, and that never overheated, not when I was using it full time, not when it retired to minor service as my traveling phone.

Monitoring temperature is easy enough that I just don't see it as a big problem, at least in the name brand phones; which is why my analysis above operated on the hypothesis that it's something more difficult to monitor (like maximum safe current draw) that is deteriorating over time.

Battery chemistry is very finicky and frequently pushed to the limits of both capability and cost since it is the major limiting factor in many applications.

Past issues have been due to a variety of things, both heat and high discharge rates tend to make the chemicals involved in storing the charge much less stable, so they go bad faster (breaking down into gasses which cause your battery to bulge). Minor impurities can also have a fairly large effect.

Usefully predicting it is also a hard problem, but one many companies have a good deal of experience with. In this case it looks like they got it wrong (which happens, and combined with the effects of lower exterior pressure on an already swelling battery is why airlines would rather not ship them in a cargo hold).